Identification of attack flows in a multi-tier network topology

ABSTRACT

Embodiments can provide a computer implemented method in a data processing system comprising a processor and a memory comprising instructions, which are executed by the processor to cause the processor to implement a system for network protection, the method comprising determining, by the processor, if an incoming connection comprising one or more packets has a false latency larger than a trigger latency; determining, by the processor, if an attack is currently in progress; and if the attack is in progress, injecting, by the processor, at least one of the one or more packets of the incoming connection or one or more packets of an outgoing connection with a false latency.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.15/787,505, filed on Oct. 18, 2017, which is incorporated herein byreference in its entirety.

TECHNICAL FIELD

The present application relates generally to a system and method thatcan be used to identify attack flows involving multiple connections, asespecially relating to multi-tiered network topologies.

BACKGROUND

In a multi-tier network topology, it is a dilemma for securityadministrators to identify attack flows where multiple connections areinvolved. Typical responses to attacks, which can include droppingpackets or resetting connections, cannot aid the administrators intracing the attacks back to the source of penetration, but instead canonly stop the attack at its final stages. Security information and eventmanagement (SIEM) products may help to correlate connections based ontheir timestamp, but this requires the administrator to log all trafficinside the environment, then filter large amounts of background trafficto find the relationship between connections, a resource-consumingprocesses which ultimately is not sustainable.

FIG. 1 illustrates the classic inability to identify the whole situationof an east-west attack. As shown, a hacker can send a malicious payloadwith SQL injection to a web site via TLS protocol. Since the traffic isencrypted, the attack will not be able to be found and blocked until theapplication server (APP Server) attempts to query the database server(DB Server). Prior art security systems would prompt an event anderroneously identify the attack was generated from an internalapplication server to another database server. However, the systemadministrator would not know where the attack originates from, and wouldnot be able to trace back to the source of the penetration.

Existing solutions either add a special signature in an L3/L4 header ordepend entirely on the application framework. These methods are notpractical in the real world once any node on the path establishes a newconnection to the next entity. Due to the sophistication ofcyber-attacks, propagation of the indicator of attacks (IOA) must beindependent from the application layer, otherwise the information willlikely be stripped in the middle and identification of the source willbe impossible.

SUMMARY

Embodiments can provide a computer implemented method in a dataprocessing system comprising a processor and a memory comprisinginstructions, which are executed by the processor to cause the processorto implement a system for network protection, the method comprisingdetermining, by the analyzing unit, if an incoming connection comprisingone or more packets has a false latency larger than a trigger latency;if the incoming connection latency is larger than the trigger latency,reporting, by the analyzing unit, the incoming connection as asuspicious connection; determining, by the analyzing unit, if an attackis currently in progress; and if the attack is in progress, injecting,by the analyzing unit, at least one of the one or more packets of theincoming connection or one or more packets of an outgoing connectionwith a false latency.

Embodiments can further provide a method further comprising calculating,by an analyzing unit, a latency distribution of one or more connectionsto each IP address in a network; and specifying, by the analyzing unit,the trigger latency.

Embodiments can further provide a method further comprising profiling,by the analyzing unit, a maximum latency; updating, by the analyzingunit, the maximum latency based upon one or more reported suspiciousconnections; and specifying, by the analyzing unit, the trigger latencyas greater than the maximum latency.

Embodiments can further provide a method further comprising injecting,by the analyzing unit, the at least one of the one or more packets ofthe incoming connection or the one or more packets of an outgoingconnection with a false latency greater than the maximum latency.

Embodiments can further provide a method further comprising detecting,by a protection unit, an external connection encounter having anabnormal latency; and performing, by the protection unit, at least oneof quarantining the external connection, resetting the abnormalconnection, redirecting the abnormal connection to a honeypot, orproviding further information to an event collector.

Embodiments can further provide a method further comprising determining,by a DDOS protection module, whether to propagate each of the one ormore connections into the network; determining, by the DDOS protectionmodule, if the system is able to propagate each of the one or moreconnections, comprising: determining, by the DDOS protection module, alast time a previous connection was propagated; comparing, by the DDOSprotection module, the last time the previous connection was propagatedagainst a predetermined delay time; if the last time the previousconnection was propagated exceeds the predetermined delay time,allowing, by the DDOS protection module, the connection to propagateinto the network.

Embodiments can further provide a method further comprising adjusting,by the DDOS protection module, the false latency based upon thepredetermined delay time.

In another illustrative embodiment, a computer program productcomprising a computer usable or readable medium having a computerreadable program is provided. The computer readable program, whenexecuted on a processor, causes the processor to perform various onesof, and combinations of, the operations outlined above with regard tothe method illustrative embodiment.

In yet another illustrative embodiment, a system is provided. The systemmay comprise one or more of a network analysis processor, a networkprotection processor, and a DDOS protection processor configured toperform various ones of, and combinations of, the operations outlinedabove with regard to the method illustrative embodiment.

Additional features and advantages of this disclosure will be madeapparent from the following detailed description of illustrativeembodiments that proceeds with reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other aspects of the present invention are bestunderstood from the following detailed description when read inconnection with the accompanying drawings. For the purpose ofillustrating the invention, there is shown in the drawings embodimentsthat are presently preferred, it being understood, however, that theinvention is not limited to the specific instrumentalities disclosed.Included in the drawings are the following Figures:

FIG. 1 illustrates a prior art identification of a network attack;

FIG. 2 illustrates a flow diagram depicting the detection of an attackusing the present network protection system, in accordance withembodiments described herein;

FIG. 3 illustrates the functionality of the network protection systemduring a DDOS attack, in accordance with embodiments described herein;

FIG. 4 illustrates a flowchart depicting the functionality of thenetwork protection system, in accordance with embodiments describedherein;

FIG. 5 depicts a block diagram illustrating the components of a networkprotection system when integrated with a network, in accordance withembodiments described herein; and

FIG. 6 is a block diagram of an example data processing system in whichaspects of the illustrative embodiments may be implemented.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

As opposed to the prior art, which merely drops packets or resetsconnections, the present invention can propagate the indicator ofattacks (IOA) through multiple entities which are involved in theattack. Timing is the only attribute which can pass through multiplenodes, regardless of the application logic and network protocol. Thus,the present invention can create a new mechanism to add special latencyin a connection when an IOA is identified.

By adding latency to the packets in a particular connection, the presentinvention can propagate the indicator of attack and identify the relatedconnections, which can greatly reduce the complexity for SIEM productsto analyze the attack flows among all the east-west traffic, whereeast-west traffic comprises data traffic within a data center, asopposed to client-server traffic. After analyzing the suspiciouscandidates, a network protection product at the edge of the network canidentify patient zero (i.e., the source of the attack) and reset theconnection established by the attackers. The present invention can thenquarantine the source IP address of intruders. Identifying link affinityis a difficult problem in SIEM products and throughout the entirecyber-security area. The present invention can reduce the complexity ofidentifying attack flows with most kinds of application architecture,without requiring modification or awareness from the application itself.

FIG. 2 illustrates a flow diagram depicting the detection of an attackusing the present network protection system, in accordance withembodiments described herein. Generally, an attacker 200 will interjecta malicious payload 201 into a network, where a normal point of entry isthe load balancer 203. A particular malicious payload 201 can attack aparticular application 205, which can run in an application server 204.Through the infection of an application 205, the applications caninteract with database servers 206 containing one or more databases 207,as well as one or more file servers 208 containing one or more files209. Traditionally, the detected attack flow 210 was previouslyerroneously detected only between the interaction of the application 205with a particular database 207 being accessed. However, through theinjection of a false latency Δt 202 into the attacking connectionthrough a false latency injection mechanism, an indicator of attack canbe provided which allows corresponding SIEM products to track themalicious payload 201 back to the original attacker 200 and its point oforigin, allowing for a swifter and more effective termination of attack.This method can be used in order to prevent disturbance of theapplication logic absent IOA response logic present in the application.To the extent the application has logic capable of responding to IOA,the application can propagate the IOA information through theapplication layer of the connection.

To avoid a distributed denial-of-service (DDOS) attack, the falselatency injection mechanism may not be triggered every time an attack isdetected due to the large number of attacks that occur as part of a DDOSattack. The network protection system can also provide a procedure toavoid a DDOS attack, so the false latency injection can be triggered oneor more times solely in a configurable time window.

FIG. 3 illustrates the functionality of the network protection systemduring a DDOS attack, in accordance with embodiments described herein.Upon reception of an incoming packet 301, the system can inspect thepacket to determine the packet's characteristics and to determine if thepacket is part of the malicious payload or DDOS attack 302. Based on theinspection of the packet 302, the system can decide whether or not topropagate the connection into the network 303. If the system elects notto propagate the connection into the network, the system can deny thepacket into the network.

If the system elects to propagate the connection into the network, thesystem can then determine if the system is able to propagate theconnection 304. The system can make this determination by determiningthe last time a connection was propagated 307 against a predetermineddelay time 308. If the last propagation time 307 is less than thepredetermined delay time 308, the connection cannot be propagated, andthe system can take one or more of the original actions 306, which caninclude resetting the connection, modifying the payload (or packets), orallowing or denying the packet into the network. If the last propagationtime 307 is more than the predetermined delay time 308, the connectioncan be propagated once the system has injected a false latency delayand/or a signature into the packet through the use of a false latencyinjection mechanism 305, which can include delaying the packet'spropagation into the network (i.e., injecting a false latency). Themodified packet can then have one or more original actions 306 actedupon it, including the allowance of the modified packet through thenetwork.

Before taking any original actions 306, such as resetting connections,modifying a payload, or allowing a packet, the system can inject a falselatency when it is required. Without having to completely depend on thedetected attack/events, the network protection system can also considerthe last propagation time and the time window. With this mechanism, thenetwork protection system can avoid a DDOS attack. In an embodiment, theinjected false latency Δt can be adaptively calculated by theenvironment and the predetermined delay time, which would not causesignificant service impacts, as an administrator can easily filternormal traffic.

FIG. 4 illustrates a flowchart depicting the functionality of thenetwork protection system, in accordance with embodiments describedherein. Implementation of the network protection system can be comprisedof two parts, the first being a protection unit 401 on each workload,and the second being an analyzing unit 400, which can be located on acentral server, such as a SIEM product. In an embodiment, the analyzingunit 400 can calculate the false latency distribution of overallconnections to each IP address using a profiling mechanism and flowdata, and can profile a maximum latency Δu 402. The analyzing unit 400can then specify a trigger latency, which can be larger than the maximumallowed latency Δu. In an embodiment, the trigger latency can be greaterthan the maximum latency Δu in the given timing window. The analyzingunit 400 can then determine whether any incoming connection has a falselatency larger than the trigger latency 403. If so, the analyzing unit400 can report the suspicious connection via the flow data 407. If not,the analyzing unit 400 can update the maximum latency Δu via the flowdata 404. The analyzing unit 400 can then detect whether an attack iscurrently in progress 405. If not, the analyzing unit 400 can re-profilethe maximum latency Δu 402 and repeat the previous processes.

In the event of an attack, the analyzing unit 400 can inject themalicious payload with a false latency Δt 408. Injection of the falselatency can involve delaying the packets with the false latency by Δt.In an embodiment, Δt can be greater than Δu. In an embodiment, theinjection of the false latency Δt on the connection can occur beforetaking other actions such as resetting/closing the connection. Theaddition of the false latency creates an abnormal connection, which cancause abnormal latencies for other components in the network cloud,which can easily propagate the error with the abnormal latency spike andallow for more detailed tracking.

When the protection unit 401 on the edge encounters any externalconnection encounters having abnormal latency that was detected by theanalyzing unit 400, it may quarantine the connection 409, reset theconnection 410, redirect the connection to a honeypot 411 for thesource, or can provide further information to an event collector 412,such as a SIEM product, for further analysis.

FIG. 5 depicts a block diagram illustrating the components of a networkprotection system when integrated with a network, in accordance withembodiments described herein. In mediating the classic interactionbetween a central server 500 and a client 501, the network protectionsystem can include a false latency computation module 502 housed on thecentral server 500, as well as a server DDOS prevention module 503housed on the central server 500. Based on the flow data, API or requestprofiles, and/or any security event responses, the client 501 can inserta false latency injection 504 into a particular network stream, whichcan be used by the false latency computation module 502 to determine thepath and source of the attack, as described above. Additionally, aclient DDOS prevention module 505 can be embedded within the client 501to provide additional DDOS protection in the event of a client-side DDOSattack. The false latency computation module 502 and the server DDOSprevention module 503 can pass latency values and anti-DDOS materials,such as the predetermined time delay, from the central server 500 to theclient 501 in order for the network to have an attack mediationcapability.

FIG. 6 is a block diagram of an example data processing system 600 inwhich aspects of the illustrative embodiments, such as the user agent,authenticator, and/or authentication server, can be implemented. Dataprocessing system 600 is an example of a computer, such as a server orclient, in which computer usable code or instructions implementing theprocess for illustrative embodiments of the present invention arelocated. In one embodiment, FIG. 6 represents a server computing device,such as a server, which implements the network protection systemdescribed herein.

In the depicted example, data processing system 600 can employ a hubarchitecture including a north bridge and memory controller hub (NB/MCH)601 and south bridge and input/output (I/O) controller hub (SB/ICH) 602.Processing unit 603, main memory 604, and graphics processor 605 can beconnected to the NB/MCH 601. Graphics processor 605 can be connected tothe NB/MCH through an accelerated graphics port (AGP).

In the depicted example, the network adapter 606 connects to the SB/ICH602. The audio adapter 607, keyboard and mouse adapter 608, modem 609,read only memory (ROM) 610, hard disk drive (HDD) 611, optical drive (CDor DVD) 612, universal serial bus (USB) ports and other communicationports 613, and the PCI/PCIe devices 614 can connect to the SB/ICH 602through bus system 616. PCI/PCIe devices 614 may include Ethernetadapters, add-in cards, and PC cards for notebook computers. ROM 610 maybe, for example, a flash basic input/output system (BIOS). The HDD 611and optical drive 612 can use an integrated drive electronics (IDE) orserial advanced technology attachment (SATA) interface. The super I/O(SIO) device 615 can be connected to the SB/ICH.

An operating system can run on processing unit 603. The operating systemcan coordinate and provide control of various components within the dataprocessing system 600. As a client, the operating system can be acommercially available operating system. An object-oriented programmingsystem, such as the Java™ programming system, may run in conjunctionwith the operating system and provide calls to the operating system fromthe object-oriented programs or applications executing on the dataprocessing system 600. As a server, the data processing system 600 canbe an IBM® eServer™ System P® running the Advanced Interactive Executiveoperating system or the Linux operating system. The data processingsystem 600 can be a symmetric multiprocessor (SMP) system that caninclude a plurality of processors in the processing unit 603.Alternatively, a single processor system may be employed.

Instructions for the operating system, the object-oriented programmingsystem, and applications or programs are located on storage devices,such as the HDD 611, and are loaded into the main memory 604 forexecution by the processing unit 603. The processes for embodiments ofthe network protection system can be performed by the processing unit603 using computer usable program code, which can be located in a memorysuch as, for example, main memory 604, ROM 610, or in one or moreperipheral devices.

A bus system 616 can be comprised of one or more busses. The bus system616 can be implemented using any type of communication fabric orarchitecture that can provide for a transfer of data between differentcomponents or devices attached to the fabric or architecture. Acommunication unit such as the modem 609 or network adapter 606 caninclude one or more devices that can be used to transmit and receivedata.

Those of ordinary skill in the art will appreciate that the hardwaredepicted in FIG. 6 may vary depending on the implementation. Otherinternal hardware or peripheral devices, such as flash memory,equivalent non-volatile memory, or optical disk drives may be used inaddition to or in place of the hardware depicted. Moreover, the dataprocessing system 600 can take the form of any of a number of differentdata processing systems, including but not limited to, client computingdevices, server computing devices, tablet computers, laptop computers,telephone or other communication devices, personal digital assistants,and the like. Essentially, data processing system 600 can be any knownor later developed data processing system without architecturallimitation.

The present description and claims may make use of the terms “a,” “atleast one of,” and “one or more of,” with regard to particular featuresand elements of the illustrative embodiments. It should be appreciatedthat these terms and phrases are intended to state that there is atleast one of the particular feature or element present in the particularillustrative embodiment, but that more than one can also be present.That is, these terms/phrases are not intended to limit the descriptionor claims to a single feature/element being present or require that aplurality of such features/elements be present. To the contrary, theseterms/phrases only require at least a single feature/element with thepossibility of a plurality of such features/elements being within in thescope of the description and claims.

In addition, it should be appreciated that the following descriptionuses a plurality of various examples for various elements of theillustrative embodiments to further illustrate example implementationsof the illustrative embodiments and to aid in the understanding of themechanisms of the illustrative embodiments. These examples are intendedto be non-limiting and are not exhaustive of the various possibilitiesfor implementing the mechanisms of the illustrative embodiments. It willbe apparent to those of ordinary skill in the art in view of the presentdescription that there are many other alternative implementations forthese various elements that may be utilized in addition to, or inreplacement of, the example provided herein without departing from thespirit and scope of the present invention.

The present invention may be a system, a method, and/or a computerprogram product. The computer program product may include a computerreadable storage medium (or media) having computer readable programinstructions thereon for causing a processor to carry out aspects of thepresent invention.

The computer readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium may be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a head disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network(LAN), a wide area network (WAN), and/or a wireless network. The networkmay comprise copper transmission cables, optical transmission fibers,wireless transmission, routers, firewalls, switches, gateway computers,and/or edge servers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for carrying out operations ofthe present invention may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, or either source code or object code written in anycombination of one or more programming languages, including anobject-oriented programming language such as Java, Smalltalk, C++ or thelike, and conventional procedural programming languages, such as the “C”programming language or similar programming languages. The computerreadable program instructions may execute entirely on the user'scomputer, partly on the user's computer, as a stand-alone softwarepackage, partly on the user's computer and partly on a remote computer,or entirely on the remote computer or server. In the latter scenario,the remote computer may be connected to the user's computer through anytype of network, including LAN or WAN, or the connection may be made toan external computer (for example, through the Internet using anInternet Service Provider). In some embodiments, electronic circuitryincluding, for example, programmable logic circuitry, field-programmablegate arrays (FPGA), or programmable logic arrays (PLA) may execute thecomputer readable program instructions by utilizing state information ofthe computer readable program instructions to personalize the electroniccircuitry, in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

These computer readable program instructions may be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionsmay also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operations steps to be performed on the computer,other programmable apparatus, or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical functions. In some alternativeimplementations, the functions noted in the block may occur out of theorder noted in the Figures. For example, two blocks shown in successionmay, in fact, be executed substantially concurrently, or the blocks maysometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustration, and combinations of blocksin the block diagrams and/or flowchart illustration, can be implementedby special purpose hardware-based systems that perform the specifiedfunctions or acts or carry out combinations of special purpose hardwareand computer instructions.

The system and processes of the figures are not exclusive. Othersystems, processes and menus may be derived in accordance with theprinciples of embodiments described herein to accomplish the sameobjectives. It is to be understood that the embodiments and variationsshown and described herein are for illustration purposes only.Modifications to the current design may be implemented by those skilledin the art, without departing from the scope of the embodiments. Asdescribed herein, the various systems, subsystems, agents, managers, andprocesses can be implemented using hardware components, softwarecomponents, and/or combinations thereof. No claim element herein is tobe construed under the provisions of 35 U.S.C. 112, sixth paragraph,unless the element is expressly recited using the phrase “means for.”

Although the invention has been described with reference to exemplaryembodiments, it is not limited thereto. Those skilled in the art willappreciate that numerous changes and modifications may be made to thepreferred embodiments of the invention and that such changes andmodifications may be made without departing from the true spirit of theinvention. It is therefore intended that the appended claims beconstrued to cover all such equivalent variations as fall within thetrue spirit and scope of the invention.

What is claimed is:
 1. A computer implemented method in a dataprocessing system comprising a processor and a memory comprisinginstructions, which are executed by the processor to cause the processorto implement a system for network protection, the method comprising:calculating, by the processor, a latency distribution of one or moreconnections to each IP address in a network to obtain a maximum latencyof the latency distribution; determining, by the processor, whether anincoming connection comprising one or more packets has a latency largerthan a trigger latency, wherein the trigger latency is greater than themaximum latency; determining, by the processor, whether an attack iscurrently in progress; and when the attack is in progress, injecting, bythe processor, at least one of the one or more packets of the incomingconnection or one or more packets of an outgoing connection with a falselatency.
 2. The method as recited in claim 1, when the latency in theincoming connection is larger than the trigger latency, reporting, bythe processor, the incoming connection as a suspicious connection. 3.The method as recited in claim 2, further comprising: updating, by theprocessor, the maximum latency based upon one or more reportedsuspicious connections.
 4. The method as recited in claim 1, wherein thefalse latency is greater than the maximum latency.
 5. The method asrecited in claim 1, further comprising: generating, by the processor, anabnormal connection having an abnormal latency after injecting the falselatency.
 6. The method as recited in claim 5, further comprising:detecting, by the processor, the abnormal connection having the abnormallatency; and performing, by the processor, at least one of quarantiningthe abnormal connection, resetting the abnormal connection, redirectingthe abnormal connection to a honeypot, or providing further informationto an event collector.
 7. The method as recited in claim 1, furthercomprising: determining, by the processor, whether to propagate each ofthe one or more connections into the network; determining, by theprocessor, whether the system is able to propagate each of the one ormore connections, comprising: determining, by the processor, a lastperiod of time a previous connection was propagated; comparing, by theprocessor, the last period of time the previous connection waspropagated against a predetermined delay time; when the last period oftime the previous connection was propagated exceeds the predetermineddelay time, allowing, by the processor, the connection to propagate intothe network.
 8. The method as recited in claim 7, further comprising:adjusting, by the processor, the false latency based upon thepredetermined delay time.
 9. A computer program product for providingnetwork protection, the computer program product comprising a computerreadable storage medium having program instructions embodied therewith,the program instructions executable by a processor to cause theprocessor to: calculate a latency distribution of one or moreconnections to each IP address in a network to obtain a maximum latencyof the latency distribution; determine whether an incoming connectioncomprising one or more packets has a latency larger than a triggerlatency, wherein the trigger latency is greater than the maximumlatency; determine whether an attack is currently in progress; and whenthe attack is in progress, inject at least one of the one or morepackets of the incoming connection or one or more packets of an outgoingconnection with a false latency.
 10. The computer program product asrecited in claim 9, the processor further configured to: when thelatency in the incoming connection is larger than the trigger latency,report the incoming connection as a suspicious connection.
 11. Thecomputer program product as recited in claim 10, the processor furtherconfigured to: update the maximum latency based upon one or morereported suspicious connections.
 12. The computer program product asrecited in claim 8, wherein the false latency is greater than themaximum latency.
 13. The computer program product as recited in claim 8,the processor further configured to: generate an abnormal connectionhaving an abnormal latency after injecting the false latency.
 14. Thecomputer program product as recited in claim 13, the processor furtherconfigured to: detect the abnormal connection having the abnormallatency; and perform at least one of quarantining the abnormalconnection, resetting the abnormal connection, redirecting the abnormalconnection to a honeypot, or providing further information to an eventcollector.
 15. A system for providing network protection, comprising: aprocessor coupled to a memory, configured to: calculate a latencydistribution of one or more connections to each IP address in a networkto obtain a maximum latency of the latency distribution; determinewhether an incoming connection comprising one or more packets has alatency larger than a trigger latency, wherein the trigger latency isgreater than the maximum latency; determine whether an attack iscurrently in progress; and when the attack is in progress, inject atleast one of the one or more packets of the incoming connection or oneor more packets of an outgoing connection with a false latency.
 16. Thesystem as recited in claim 15, the processor further configured to: whenthe latency in the incoming connection is larger than the triggerlatency, report the incoming connection as a suspicious connection. 17.The system as recited in claim 15, wherein the false latency is greaterthan the maximum latency.
 18. The system as recited in claim 15, theprocessor further configured to: generate an abnormal connection havingan abnormal latency after injecting the false latency.
 19. The system asrecited in claim 18, the processor further configured to: detect theabnormal connection having the abnormal latency; and perform at leastone of quarantining the abnormal connection, resetting the abnormalconnection, redirecting the abnormal connection to a honeypot, orproviding further information to an event collector.
 20. The system asrecited in claim 15, the processor further configured to: determinewhether to propagate each of the one or more connections into thenetwork; determine whether the system is able to propagate each of theone or more connections, comprising: determine a last period of time aprevious connection was propagated; compare the last period of time theprevious connection was propagated against a predetermined delay time;when the last period of time the previous connection was propagatedexceeds the predetermined delay time, allow the connection to propagateinto the network.